Critical Vulnerability Found in Sunhillo Aerial Surveillance Product (Security News, July 2021)
An unauthenticated OS command injection vulnerability in the Sunhillo SureLine application could allow an attacker to execute arbitrary commands with root privileges, according to security researchers with the NCC Group.
Sunhillo is an established name in aerial vehicle surveillance and tracking, and SureLine represents the core software that powers the company's surveillance tools and products.
Tracked as CVE-2021-36380, the critical OS command injection flaw that NCC Group's Liam Glanfield discovered could allow an attacker to establish an interactive channel with the affected device, taking control of it.
The flaw was in the /cgi/networkDiag.cgi script, which "directly incorporated user-controllable parameters within a shell command, allowing an attacker to manipulate the resulting command by injecting valid OS command input," Glanfield explains.
Command injection was possible by using $() and placing arbitrary commands within the parentheses.
The vulnerability was reported to Sunhillo on June 21 and a patch was released on July 22, in Sunhillo SureLine version 8.7.0.1.1.
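The pattern described above next to a hardened form, as an added example that is not Sunhillo's or NCC Group's code. The `ping` command, the function names and the hostname rule are assumptions, and the sample input is constructed.

```python
import ipaddress
import re
import subprocess
import sys

# Strict hostname grammar (letters, digits, hyphens, dots). This is an assumption
# about what a network-diagnostic parameter may legitimately contain.
_HOSTNAME = re.compile(
    r"(?=.{1,253}\Z)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\Z")


def unsafe_command(ip_addr):
    """Vulnerable pattern: request data pasted into a string meant for a shell.
    The string is returned for inspection only and is never executed here."""
    return f"ping -c 1 {ip_addr}"


def validate_target(value):
    """Accept only an IP literal or a plain hostname; reject everything else."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if _HOSTNAME.match(value):
        return value
    raise ValueError("invalid address")


def safe_argv(ip_addr):
    """Hardened pattern: validated value as a single argv element, no shell."""
    return ["ping", "-c", "1", validate_target(ip_addr)]


def argv_is_literal(value):
    """Without a shell, metacharacters reach the child process as plain data."""
    child = [sys.executable, "-c",
             "import sys; sys.stdout.write(sys.argv[1])", value]
    return subprocess.run(child, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    constructed = "192.0.2.1$(echo injected)"  # constructed sample input
    print(unsafe_command(constructed))   # a shell would expand the $() part
    print(argv_is_literal(constructed))  # the child sees the text unchanged
    try:
        safe_argv(constructed)
    except ValueError as exc:
        print("rejected:", exc)
    print(safe_argv("192.0.2.1"))
```

Validation and shell-free execution are independent layers: the first rejects the malformed parameter outright, and the second ensures that a value which slips through is still never interpreted as shell syntax.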
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-08-13 | CVE-2021-36380 | OS Command Injection vulnerability in Sunhillo Sureline. Sunhillo SureLine before 8.7.0.1.1 allows Unauthenticated OS Command Injection via shell metacharacters in ipAddr or dnsAddr /cgi/networkDiag.cgi. | 9.8 |